CentOS 7: Setting up an OpenLDAP 2.4.4 server

As is well known, Hadoop's security module does not store users and groups itself; it relies on the users and groups of the underlying Linux system. Once the cluster runs in secure (Kerberos) mode, Kerberos principals must additionally be mapped to Linux users, and users to groups. The question that follows is how to manage user information centrally.

Installation and configuration

1. Pick one host and install the OpenLDAP server

yum -y install openldap openldap-clients openldap-servers migrationtools openldap-devel nss-pam-ldapd bind-dyndb-ldap compat-openldap perl-LDAP krb5-server-ldap php-ldap openssl

2. Check the installed RPM packages

rpm -qa | grep openldap    (or: slapd -VV)

3. Edit slapd.ldif (dc=xxx,dc=com is the example suffix; for olcRootPW use a hash generated with slappasswd, never the cleartext password)

cd /usr/share/openldap-servers
cp slapd.ldif /root/
vim slapd.ldif 
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# TLS settings
#
# olcTLSCACertificatePath: /etc/openldap/certs
# olcTLSCertificateFile: "OpenLDAP Server"
# olcTLSCertificateKeyFile: /etc/openldap/certs/password
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#
#olcReferral: ldap://root.openldap.org
#
# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 64-bit encryption for simple bind
#
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64

#
# Load dynamic backend modules:
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la backend requires openldap-servers-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
#
#dn: cn=module,cn=config
#objectClass: olcModuleList
#cn: module
#olcModulepath:    /usr/lib/openldap
#olcModulepath:    /usr/lib64/openldap
#olcModuleload: accesslog.la
#olcModuleload: auditlog.la
#olcModuleload: back_dnssrv.la
#olcModuleload: back_ldap.la
#olcModuleload: back_mdb.la
#olcModuleload: back_meta.la
#olcModuleload: back_null.la
#olcModuleload: back_passwd.la
#olcModuleload: back_relay.la
#olcModuleload: back_shell.la
#olcModuleload: back_sock.la
#olcModuleload: collect.la
#olcModuleload: constraint.la
#olcModuleload: dds.la
#olcModuleload: deref.la
#olcModuleload: dyngroup.la
#olcModuleload: dynlist.la
#olcModuleload: memberof.la
#olcModuleload: pcache.la
#olcModuleload: ppolicy.la
#olcModuleload: refint.la
#olcModuleload: retcode.la
#olcModuleload: rwm.la
#olcModuleload: seqmod.la
#olcModuleload: smbk5pwd.la
#olcModuleload: sssvlv.la
#olcModuleload: syncprov.la
#olcModuleload: translucent.la
#olcModuleload: unique.la
#olcModuleload: valsort.la

#
# Schema settings
#
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
# note: keep this order; some schema files depend on attributes defined in earlier ones
include: file:///etc/openldap/schema/corba.ldif
include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/duaconf.ldif
include: file:///etc/openldap/schema/dyngroup.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/java.ldif
include: file:///etc/openldap/schema/misc.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/ppolicy.ldif
include: file:///etc/openldap/schema/collective.ldif
#
# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#
#
# Configuration database
#
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" manage by * none
#
# Server status monitoring
#
dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,c
 n=auth" read by dn.base="cn=Manager,dc=xxx,dc=com" read by * none
#
# Backend database definitions
#
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=xxx,dc=com
olcRootPW: <password hash>
olcRootDN: cn=Manager,dc=xxx,dc=com
olcDbDirectory:    /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
olcDbIndex: uidNumber,gidNumber,loginShell eq,pres
olcDbIndex: uid,memberUid eq,pres,sub
olcDbIndex: nisMapName,nisMapEntry eq,pres,sub

4. Regenerate the OpenLDAP configuration directory

rm -rf /etc/openldap/slapd.d/*
slapadd -F /etc/openldap/slapd.d -n 0 -l /root/slapd.ldif

5. Test that the configuration is valid

slaptest -u -F /etc/openldap/slapd.d

6. Change the owner of the configuration directory

chown -R ldap. /etc/openldap/slapd.d/

7. Set up the OpenLDAP database files

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap. /var/lib/ldap/

8. Start the service

systemctl enable slapd  # start at boot
systemctl start slapd
systemctl status slapd

Installation and configuration are now complete.

Importing the root domain and the administrator account

1. Prepare the LDIF file

vim root.ldif

dn: dc=xxx,dc=com
dc: xxx
objectClass: top
objectClass: domain

dn: cn=Manager,dc=xxx,dc=com
objectClass: organizationalRole
cn: Manager

Note: the LDIF format is strict: exactly one space after each colon, and a blank line between entries. The dc values here must match olcSuffix in slapd.ldif, otherwise the import is rejected.

2. Import and query

# import
ldapadd -D "cn=Manager,dc=xxx,dc=com" -W -x -f root.ldif

# query
# servernode1.xxx.com is the server's hostname; an IP address also works
ldapsearch -x -h servernode1.xxx.com -b "dc=xxx,dc=com" -D "cn=Manager,dc=xxx,dc=com" -W

3. Create the two main organizational units (the usual layout)

dn: ou=People,dc=xxx,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=xxx,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit

People holds user accounts, Group holds groups.

Finally

When using LDAP, create further nodes according to your own needs.
Data can be inserted into LDAP in several ways:

  • write LDIF files by hand and load them
  • write a program that generates the LDIF files, then load them
  • use an LDAP client tool with a GUI for create/read/update/delete
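As an added example (not code from the original post), here is the second option: a small Python generator for posixAccount users under ou=People and posixGroup groups under ou=Group, with passwords stored as {SSHA} hashes so no cleartext lands in the LDIF, plus a checker for the two LDIF rules noted above (one space after the colon, blank line between entries). The suffix dc=xxx,dc=com and the uid/gid values are assumed sample data.

```python
import base64
import hashlib
import os
import re

# "attr: value" / "attr:: b64" with one space; "cn:Manager" and "cn:  Manager" fail.
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(:: |: )\S")

def ssha_hash(password, salt=None):
    """{SSHA} value for userPassword/olcRootPW: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Recompute the hash with the salt carried inside the stored value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode("utf-8") + raw[20:]).digest() == raw[:20]

def group_entry(base, name, gid, members=()):
    """posixGroup under ou=Group (objectClass from nis.ldif)."""
    lines = [f"dn: cn={name},ou=Group,{base}", f"cn: {name}", "objectClass: top",
             "objectClass: posixGroup", f"gidNumber: {gid}"]
    return "\n".join(lines + [f"memberUid: {m}" for m in members])

def user_entry(base, uid, uid_number, gid_number, password):
    """person + posixAccount + shadowAccount under ou=People; uidNumber and
    gidNumber are what nss-pam-ldapd hands to Linux, and hence to Hadoop."""
    return "\n".join([
        f"dn: uid={uid},ou=People,{base}", f"uid: {uid}", f"cn: {uid}", f"sn: {uid}",
        "objectClass: top", "objectClass: person", "objectClass: posixAccount",
        "objectClass: shadowAccount", f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}", f"homeDirectory: /home/{uid}",
        "loginShell: /bin/bash", f"userPassword: {ssha_hash(password)}"])

def render_ldif(entries):
    """Join entries with one blank line, the separator ldapadd -f expects."""
    return "\n\n".join(entries) + "\n"

def check_ldif(text):
    """Line numbers that break the post's two LDIF rules (see comments below)."""
    bad, prev_blank = [], True
    for num, line in enumerate(text.splitlines(), 1):
        if line and not line.startswith(("#", " ")) and not ATTR_LINE.match(line):
            bad.append(num)             # not exactly one space after the colon
        elif line.startswith("dn:") and not prev_blank:
            bad.append(num)             # entry not preceded by a blank line
        prev_blank = line == ""
    return bad
```

Write the output of render_ldif to a file and load it with the same ldapadd command as in step 2; run check_ldif first when the file was edited by hand.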

Reference
How to install OpenLDAP on RedHat 7 and configure the client
